Network Analysis Using Wireshark, Lesson 11: TCP and UDP Analysis
By the end of this lesson, the participant will be able to:
▫ Understand UDP and TCP network behavior
▫ Understand TCP connectivity problems
▫ Understand how to use Wireshark for TCP troubleshooting
1. Network Analysis Using Wireshark, Version 2. yoram@ndi-com.com. Page 1
Contact me for more lectures, courses and keynote speaking: yoram@ndi-com.com
Chapter Content
▫ Layer 4 protocols - reminder
▫ Configuring TCP and UDP preferences for troubleshooting
▫ Using Wireshark for UDP analysis
▫ Using Wireshark for TCP analysis
▫ TCP retransmissions – where they come from and why
▫ Duplicate ACKs and fast retransmissions
▫ Previous segment loss and out-of-order packet events
▫ TCP Zero Window and other sliding-window issues
▫ TCP resets and why they happen
▫ Case studies
“An investment in knowledge always pays the best interest.” ― Benjamin Franklin
TCP/IP Protocol Stack – Reminder
[Figure: the TCP/IP protocol stack mapped to OSI layers. Layer 1/2: Ethernet, WiFi, Cellular. Layer 3: IP, ICMP, IGMP, ARP. Layer 4: TCP, UDP, SCTP. Layers 5-7: HTTP, HTTPS, FTP, DNS, SMTP, Telnet, RTP, SIGTRAN, SPDY, QUIC.]
TCP vs. UDP
[Table: TCP and UDP compared on Connectivity, Reliability, Connection Start and Connection End.]
UDP Principles
• Connection-less, unreliable protocol, and therefore much faster than TCP
• Used for:
▫ Name resolution (DNS, ...)
▫ Monitoring (SNMP, ...)
▫ Real-time applications (RTP, ...)
▫ Broadcasts (NetBIOS announcements, ...)
▫ Multicast applications, and more
UDP Frame Structure
[Figure: the UDP header, 32 bits wide: source port #, destination port #, datagram length, datagram checksum, followed by the application data (message).]
UDP Example
[Screenshot: a UDP datagram decoded in Wireshark, with callouts 1, 2 and 3 on the header fields.]
TCP Principles
• TCP's basic operation covers each of these areas:
▫ Connections
▫ Full duplex data transfer
▫ Reliability
▫ Flow control
▫ Congestion control
TCP Principles – Connections
• TCP mechanisms initialize and maintain status information for each data stream.
• The combination of this information (the sockets, i.e. IP address and port, the sequence numbers, and the window sizes) is called a connection.
• Each connection is uniquely specified by the pair of sockets identifying its two sides.
• When two processes wish to communicate, they open the connection, send the data, and then close the connection.
[Figure: two hosts; the application writes data into the TCP send buffer through the socket "door", TCP carries it in segments to the peer's TCP receive buffer, from which the application reads the data.]
TCP Principles – Full-Duplex Data Transfer
• TCP forwards data between end processes.
• TCP packages application data and sends it in TCP segments (PDUs).
• Each byte is numbered with a "Sequence Number" and sent to the other side.
• Data is sent in both directions – a full duplex connection.
[Figure: the same send-buffer/receive-buffer picture, with segments flowing in both directions between the two hosts.]
TCP Principles – Reliability
• TCP recovers from data that is damaged, lost, duplicated, or delivered out of order.
• This is achieved by assigning a sequence number to each octet transmitted, and requiring a positive acknowledgment (ACK) from the receiving TCP.
• If the ACK is not received within a timeout interval, the data is retransmitted.
[Figure: the same send-buffer/receive-buffer picture, with each segment answered by an Ack in the opposite direction.]
Flow & Congestion Control
• Flow control:
▫ Controls the amount of data sent by the sender.
▫ Achieved by a "window" mechanism.
• Congestion control:
▫ Tries to reach the maximum throughput of the communication line.
[Figure: congestion window (CWND) over time, growing from Min = MSS towards MAX = RWIN and dropping back at each packet loss.]
TCP Message Structure
[Figure: the TCP header, 32 bits wide. Row 1: Source Port #, Destination Port # (port numbers). Row 2: Sequence number (numbering of sent data). Row 3: Acknowledge number (Ack numbers to confirm data arrival). Row 4: H.Len, reserved bits, the flags NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN, and Rcvr. Win. Size (# of bytes the receiver is willing to accept). Row 5: checksum, Urgent Pointer (in case of URG, indicates the data location). Then Options, and Application data (variable length).]
Flags:
▫ FIN – Finish
▫ SYN – Sync
▫ RST – Reset
▫ PSH – Push
▫ ACK – Acknowledge
▫ URG – Urgent
▫ ECE – Echo
▫ CWR – Congestion Window Reduced
▫ NS – Nonce Sum
Window Size Scaling
• The original TCP standard (RFC 793):
▫ For more efficient use of high bandwidth networks, a larger TCP window size may be used.
▫ The TCP window size field controls the flow of data and was originally limited to between 2 and 65,535 bytes.
• TCP Enhancements (RFC 1323):
▫ Since the size field cannot be expanded, a scaling factor is used.
▫ The TCP window scale option, as defined in RFC 1323, is an option used to increase the maximum window size from 65,535 bytes to 1 Gigabyte.
▫ Scaling up to larger window sizes is a part of what is necessary for TCP tuning.
The Options Fields
• Every option begins with a 1-byte kind that specifies the type of option.
• The first two options (with kinds of 0 and 1) are single-byte options.
• The other three are multibyte options with a len byte that follows the kind byte.
• The length is the total length, including the kind and len bytes.
[Figure: option layouts, one byte per box:
Kind=0 – End of Option List
Kind=1 – No Operation
Kind=2, Len=4, MSS – Maximum Segment Size
Kind=3, Len=3, Shift Count – Window Scale factor
Kind=8, Len=10, Timestamp Value, Timestamp Echo Reply – Timestamp]
Maximum Segment Size
Kind=2, Len=4, MSS
Example 11-0a
Window Scale Factor
Kind=3, Len=3, Shift Count
• The TCP window scale option is an option to increase the receive window size allowed in TCP above its former maximum value of 65,535 bytes.
Example 11-0b
Timestamps
Kind=8, Len=10, Timestamp Value, Timestamp Echo Reply
• TSV is the Timestamp Value field.
▫ It is used in conjunction with the sequence number to uniquely identify segments (since sequence numbers may wrap).
• TSER is the Timestamp Echo Reply field.
▫ This is used in ACK messages. It holds a copy of the last TSV value received.
▫ It can be used for round trip time estimation (RTT = current time - TSER).
Example 11-0c
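To see how the header under "TCP Message Structure" and the options just described decode in practice, here is an added example of my own (not part of the course materials): a Python parser for the fixed TCP header, its flag bits, and the MSS, window scale, SACK-permitted, SACK and timestamp options, which also applies a sender's window-scale shift to obtain the effective window. The sample SYN is constructed to match the ports and initial sequence number of the "Opening Connection" slides; the option values (MSS 1460, shift 7, TSval 123456), the data and duplicate-ACK segments, the SACK block edges and the payload are assumptions, and the checksum field is left at zero because the example does not build an IP pseudo-header.

```python
import struct

# Bit positions of the flags in the TCP flags byte (the NS bit lives in the previous byte).
FLAG_BITS = {"CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
             "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}

def parse_options(raw):
    """Decode the options area: kinds 0 and 1 are single bytes, every other
    option carries a length byte that counts the kind and len bytes too."""
    opts = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                         # End of Option List
            break
        if kind == 1:                         # No Operation, used as padding
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d has no length byte" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("option kind %d: bad length %d" % (kind, length))
        body = raw[i + 2:i + length]
        if kind == 2 and length == 4:         # Maximum Segment Size
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and length == 3:       # Window Scale: shift count
            opts["wscale"] = body[0]
        elif kind == 4 and length == 2:       # SACK permitted (negotiated in the SYNs)
            opts["sack_permitted"] = True
        elif kind == 5 and len(body) % 8 == 0:  # SACK blocks: (left edge, right edge) pairs
            opts["sack"] = [struct.unpack("!II", body[j:j + 8]) for j in range(0, len(body), 8)]
        elif kind == 8 and length == 10:      # Timestamps: TSval, TSecr
            opts["tsval"], opts["tsecr"] = struct.unpack("!II", body)
        else:
            opts.setdefault("other", []).append((kind, body))
        i += length
    return opts

def parse_tcp(segment, sender_shift=0):
    """Decode header, options and payload of one segment into a dict.
    sender_shift is the shift count this sender announced in its own SYN; it applies
    to every segment except SYNs, whose window field is never scaled."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_ns, flags, window, csum, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off_ns >> 4) * 4           # header length in bytes, options included
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("data offset %d outside segment" % data_offset)
    names = sorted(n for n, bit in FLAG_BITS.items() if flags & bit)
    if off_ns & 0x01:
        names.append("NS")
    effective = window if "SYN" in names else window << sender_shift
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": names,
            "window": window, "effective_window": effective, "checksum": csum,
            "urgent_pointer": urg, "options": parse_options(segment[20:data_offset]),
            "payload": segment[data_offset:]}

def build_segment(sport, dport, seq, ack, flags, window, options=b"", payload=b""):
    """Assemble a segment with a zero checksum (constructed test input, not a capture)."""
    if len(options) % 4:
        options += b"\x01" * (4 - len(options) % 4)   # pad with NOPs to a 32-bit boundary
    off_ns = ((20 + len(options)) // 4) << 4
    bits = sum(FLAG_BITS[f] for f in flags)
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, off_ns, bits, window, 0, 0) + options + payload

# Constructed SYN: port 4657 -> 80, ISN 1407979388 as on the handshake slides, with the
# common option set MSS 1460, NOP, window scale 7, SACK permitted, timestamps (assumed values).
SYN_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x07" + b"\x04\x02"
               + b"\x08\x0a" + struct.pack("!II", 123456, 0))
SAMPLE_SYN = build_segment(4657, 80, 1407979388, 0, ["SYN"], 65535, SYN_OPTIONS)
# A later data segment from the same client: window 229 means 229 << 7 = 29312 bytes.
SAMPLE_DATA = build_segment(4657, 80, 1407979389, 4288471014, ["ACK", "PSH"], 229,
                            payload=b"GET / HTTP/1.1\r\n\r\n")
# A duplicate ACK carrying one SACK block (two NOPs align the 10-byte option; edges assumed).
SACK_OPTIONS = b"\x01\x01" + b"\x05\x0a" + struct.pack("!II", 14594837, 14596297)
SAMPLE_DUPACK = build_segment(4657, 80, 1407979389, 14593377, ["ACK"], 229, SACK_OPTIONS)

if __name__ == "__main__":
    for seg in (SAMPLE_SYN, SAMPLE_DATA, SAMPLE_DUPACK):
        print(parse_tcp(seg, sender_shift=7))
```

The parser returns the raw window and the scaled one side by side because that is exactly the trap in a capture: if the SYN that carried the shift count was not captured, Wireshark cannot scale the windows either, and a "very small receiver window" may simply be an unscaled field.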
TCP Message – Example
[Screenshot: a TCP segment decoded in Wireshark.]
The Connectivity Mechanism
• Connectivity means:
▫ Before sending data – create the connection (3-way handshake)
▫ Transfer data (discussed later in this lesson)
▫ After the data was sent – close the connection
[Figure: sequence diagram between S and R.]
Connections State Machine
[Figure: the TCP connection state diagram, with the states CLOSED, LISTEN, SYN-SENT, SYN-RECEIVED, ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSING, TIME-WAIT, CLOSE-WAIT and LAST-ACK. The labelled transitions are:
▫ Open – initiator sequence: Active Open, set up TCB, send SYN (CLOSED → SYN-SENT); receive SYN+ACK, send ACK (SYN-SENT → ESTABLISHED)
▫ Open – responder sequence: Passive Open, set up TCB (CLOSED → LISTEN); receive SYN, send SYN+ACK (LISTEN → SYN-RECEIVED); receive ACK (SYN-RECEIVED → ESTABLISHED)
▫ Simultaneous open: receive SYN, send ACK (SYN-SENT → SYN-RECEIVED)
▫ Close – initiator sequence: Close, send FIN (ESTABLISHED → FIN-WAIT-1); receive ACK for FIN (FIN-WAIT-1 → FIN-WAIT-2); receive FIN, send ACK (FIN-WAIT-2 → TIME-WAIT); timer expired (TIME-WAIT → CLOSED)
▫ Close – responder sequence: receive FIN, send ACK (ESTABLISHED → CLOSE-WAIT); wait for application close, send FIN (CLOSE-WAIT → LAST-ACK); receive ACK for FIN (LAST-ACK → CLOSED)
▫ Simultaneous close: receive FIN, send ACK (FIN-WAIT-1 → CLOSING); receive ACK for FIN (CLOSING → TIME-WAIT)]
TCB – Transmission Control Block
TCP Connectivity – Opening Connection
• Client end system sends a TCP SYN control segment to the server
▫ Specifies the initial seq #
• Server end system receives the SYN, replies with a SYN-ACK control segment
▫ ACKs the received SYN
▫ Allocates buffers
▫ Specifies the server (receiver) initial seq. #
• Client end system replies with an ACK control segment
▫ Confirms the connection and the numbers received to the server
[Figure: SYN, SYN-ACK, ACK exchange between S and R.]
TCP Connectivity – Opening Connection (1)
Source port – 4657
Destination port – 80
Initial sequence number – 1407979388
Next expected sequence number (Ack field) – 1407979389
[Screenshot: the SYN segment in Wireshark, S to R.]
TCP Connectivity – Opening Connection (2)
Source port – 80
Destination port – 4657
Initial sequence number – 4288471013
Next expected sequence number (Ack field) – 4288471014
Ack number – 1407979389
[Screenshot: the SYN-ACK segment in Wireshark, R to S.]
TCP Connectivity – Opening Connection (3)
Source port – 4657
Destination port – 80
Initial sequence number – 1407979389
Next expected sequence number (Ack field) – 1407979389
Ack number – 4288471014
[Screenshot: the ACK segment in Wireshark, S to R.]
TCP Connectivity – Connection Termination
• Closing a connection is a two-way handshake, which is done as follows:
1. The client sends a request to close the connection
2. The server replies with an Ack; the client's side of the connection is closed
• In most cases, since TCP works in full duplex mode, the connection will be closed from both sides:
1. The server sends a request to close the connection from its side
2. The client replies with an Ack; the server's side is closed
[Figure: FIN/ACK exchange between client C and server S.]
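The state diagram, the handshake numbers of "Opening Connection (1)-(3)" and the termination sequence above can be checked mechanically. The following is an added example of my own, not course material: a small tracker that walks one client/server connection through the RFC 793 states, verifies that each side's sequence and acknowledgement numbers advance as the slides describe (a SYN and a FIN each consume one sequence number), and reports a connection that never opens because its SYN is repeated without a SYN-ACK, the SYN / SYN / SYN pattern of the case studies. The handshake values are the slides' own; the close-phase numbers that follow from them, the sender names and the blocked-connection scenario are assumptions.

```python
class TcpConnTracker:
    """Follow one client/server connection through the RFC 793 states of the slide
    while checking the sequence/acknowledgement arithmetic of every segment."""

    ON_ACK = {"SYN-RECEIVED": "ESTABLISHED", "FIN-WAIT-1": "FIN-WAIT-2",
              "CLOSING": "TIME-WAIT", "LAST-ACK": "CLOSED"}          # peer's state once fully acked
    ON_OWN_FIN = {"ESTABLISHED": "FIN-WAIT-1", "CLOSE-WAIT": "LAST-ACK"}
    ON_PEER_FIN = {"ESTABLISHED": "CLOSE-WAIT", "FIN-WAIT-2": "TIME-WAIT",
                   "FIN-WAIT-1": "CLOSING"}

    def __init__(self):
        self.state = {"client": "CLOSED", "server": "LISTEN"}
        self.next_seq = {"client": None, "server": None}   # next byte each side will send
        self.unanswered_syns = 0                              # SYNs not yet met by a SYN-ACK
        self.events = []                                      # anomalies worth a closer look

    def feed(self, sender, flags, seq, ack=0, length=0):
        peer = "server" if sender == "client" else "client"
        st, nxt = self.state, self.next_seq
        if "RST" in flags:
            st[sender] = st[peer] = "CLOSED"
            self.events.append("reset by %s" % sender)
            return
        # A non-SYN segment must start exactly where this side's byte stream left off.
        if nxt[sender] is not None and "SYN" not in flags and seq != nxt[sender]:
            self.events.append("%s seq %d, expected %d (retransmission or out-of-order)"
                               % (sender, seq, nxt[sender]))
        if "ACK" in flags and nxt[peer] is not None:
            if ack > nxt[peer]:
                self.events.append("%s acked %d but peer only sent up to %d" % (sender, ack, nxt[peer]))
            elif ack == nxt[peer]:
                # Everything the peer sent so far is acknowledged: its SYN or FIN is confirmed.
                st[peer] = self.ON_ACK.get(st[peer], st[peer])
        if "SYN" in flags:
            if "ACK" not in flags:                                   # active open, or a repeated SYN
                self.unanswered_syns += 1
                if st[sender] == "CLOSED":
                    st[sender] = "SYN-SENT"
                if self.unanswered_syns >= 3:
                    self.events.append("%d SYNs without SYN-ACK: connection not opened"
                                       % self.unanswered_syns)
            elif st[sender] == "LISTEN" and st[peer] == "SYN-SENT":   # passive open answered
                st[sender] = "SYN-RECEIVED"
                self.unanswered_syns = 0
                if ack != nxt[peer]:
                    self.events.append("SYN-ACK acks %d, expected %d" % (ack, nxt[peer]))
            else:
                self.events.append("unexpected SYN-ACK from %s in state %s" % (sender, st[sender]))
            nxt[sender] = seq + 1 + length                           # a SYN consumes one sequence number
            return
        if st[sender] == "SYN-SENT" and "ACK" in flags:
            st[sender] = "ESTABLISHED"                               # third segment of the handshake
        nxt[sender] = seq + length
        if "FIN" in flags:
            nxt[sender] += 1                                         # so does a FIN
            st[sender] = self.ON_OWN_FIN.get(st[sender], st[sender])
            st[peer] = self.ON_PEER_FIN.get(st[peer], st[peer])


def run_slide_connection():
    """Replay the handshake of the slides, then a two-sided close (close numbers constructed)."""
    t = TcpConnTracker()
    t.feed("client", {"SYN"}, seq=1407979388)
    t.feed("server", {"SYN", "ACK"}, seq=4288471013, ack=1407979389)
    t.feed("client", {"ACK"}, seq=1407979389, ack=4288471014)
    t.feed("client", {"FIN", "ACK"}, seq=1407979389, ack=4288471014)   # client closes its side
    t.feed("server", {"ACK"}, seq=4288471014, ack=1407979390)
    t.feed("server", {"FIN", "ACK"}, seq=4288471014, ack=1407979390)   # server closes its side
    t.feed("client", {"ACK"}, seq=1407979390, ack=4288471015)
    return t


def run_blocked_connection():
    """Three SYNs and no answer: the pattern of a silent or firewalled destination."""
    t = TcpConnTracker()
    for _ in range(3):
        t.feed("client", {"SYN"}, seq=1407979388)
    return t


if __name__ == "__main__":
    for tracker in (run_slide_connection(), run_blocked_connection()):
        print(tracker.state, tracker.events)
```

Lagging acknowledgements are deliberately tolerated (delayed ACKs are normal); only an ACK for bytes the peer never sent, a sequence number that does not continue the stream, or a SYN-ACK that acknowledges the wrong number is reported.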
TCP Connectivity – Closing Connection (1)
[Screenshot]
TCP Connectivity – Closing Connection (2)
[Screenshot]
TCP Connectivity – Closing Connection (3)
[Screenshot]
TCP Connectivity – Closing Connection (4)
[Screenshot]
TCP Connection Management
[Screenshot]
TCP Window Mechanism – Stop & Wait
[Figure: three timing diagrams between A and B.
(a) All frames arrive: A sends frame 0, B ACKs; frame 1, ACK; frame 2, ACK; frame 3, ACK.
(b) Frame loss: frame 1 is lost; after the time-out A retransmits frame 1, B ACKs, A continues with frame 2.
(c) ACK loss: the ACK for frame 1 is lost; after the time-out A retransmits frame 1, B ACKs again, A continues with frame 2.]
No longer in use.
TCP Window Mechanism – Go-Back-N
[Figure: timing diagram. Frames 0 to 6 are sent without waiting for ACKs; frame 3 arrives in error and the following frames are out of sequence at the receiver. After the time-out, frame 3 is retransmitted together with all the following frames, and the receiver's ACKs (ACK 1 to ACK 9) resume.]
Widely in use, with improvements.
TCP Window Mechanism – Selective Repeat
[Figure: timing diagram between A and B. Frames 0 to 6 are sent; frame 2 arrives in error. The receiver keeps answering ACK 2 (NAK 2) for the later frames while buffering them; after the time-out only frame 2 is retransmitted, transmission continues with frames 7 to 12, and the ACKs advance (ACK 7 to ACK 12).]
Widely in use, with improvements.
Selective Repeat (SACK Option, TCP)
Example 11-0d
Selective Ack
Example 11-0e
Selective Ack (Cont.)
Flow Control – Performance
Window Size [Bytes] = Throughput [Bytes/Sec] × RTT [Sec]
When W < BW × DELAY: inefficiency
When W > BW × DELAY: queuing in intermediate devices, potential packet loss
[Figure: throughput [Bps] against delay [Sec].]
Flow Control – Performance
Throughput = 0.7 * MSS / (RTT * Sqrt(PLR))
MSS – Maximum Segment Size (Bytes)
RTT – Round Trip Time (Sec)
PLR – Packet Loss Ratio (%)
[Figure: throughput (Mbps) against packet loss ratio (%).]
In the diagram:
MSS – 1400 Bytes
RTT – 10 mSec
PLR – from 0.01% to 0.03%
Throughput – up to 1 MBps
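Both "Flow Control – Performance" formulas are easy to get wrong on units, so here is an added example of my own (not from the course) that evaluates them: the bandwidth-delay product and its rearrangement into the most a fixed window can deliver, and the 0.7 * MSS / (RTT * sqrt(PLR)) throughput estimate. The functions take bytes, seconds and the loss ratio as a fraction; `percent()` converts percentage figures such as those on the slide. The 10 Mbit/s link, the 65,535-byte unscaled window and the 100 ms path used in the usage section are assumptions chosen to tie the formulas back to the window-scaling discussion, not values from the slides.

```python
import math

def bandwidth_delay_product(throughput_bytes_per_s, rtt_s):
    """Window [Bytes] = Throughput [Bytes/Sec] x RTT [Sec]: bytes in flight needed to keep the link busy."""
    return throughput_bytes_per_s * rtt_s

def window_limited_throughput(window_bytes, rtt_s):
    """The same relation rearranged: the most a sender can push with a fixed window."""
    return window_bytes / rtt_s

def classify_window(window_bytes, bandwidth_bytes_per_s, rtt_s):
    """The two regimes of the slide, judged against BW x DELAY."""
    bdp = bandwidth_delay_product(bandwidth_bytes_per_s, rtt_s)
    if window_bytes < bdp:
        return "inefficient: window smaller than BW x DELAY, link under-used"
    if window_bytes > bdp:
        return "queuing in intermediate devices, potential packet loss"
    return "balanced"

def mathis_throughput(mss_bytes, rtt_s, plr):
    """Throughput = 0.7 * MSS / (RTT * sqrt(PLR)) in bytes/s, PLR as a fraction (0.0001 for 0.01%)."""
    if plr <= 0:
        raise ValueError("PLR must be positive; the formula models a steady-state loss rate")
    return 0.7 * mss_bytes / (rtt_s * math.sqrt(plr))

def percent(p):
    """Convert a percentage figure to the fraction the formulas expect."""
    return p / 100.0

def mbit(bytes_per_s):
    """bytes/s to Mbit/s, for comparing with link speeds quoted in bits."""
    return bytes_per_s * 8 / 1e6

if __name__ == "__main__":
    # Assumed link: 10 Mbit/s (1,250,000 bytes/s) with 10 ms RTT.
    print("bytes in flight needed:", bandwidth_delay_product(1_250_000, 0.010))
    print("8 kB window on that link:", classify_window(8_000, 1_250_000, 0.010))
    # Assumed: the unscaled 65,535-byte maximum window over a 100 ms path.
    print("65535-byte window, 100 ms RTT: %.2f Mbit/s" % mbit(window_limited_throughput(65535, 0.100)))
    # Slide inputs MSS 1400 bytes, RTT 10 ms; the PLR entered as a fraction versus as "0.01" changes
    # the result tenfold, which is the usual source of confusion with this formula.
    print("PLR 0.01%%: %.2f Mbit/s" % mbit(mathis_throughput(1400, 0.010, percent(0.01))))
    print("PLR 1%%:    %.2f Mbit/s" % mbit(mathis_throughput(1400, 0.010, percent(1))))
```

The window-limited figure is why window scaling matters: with the original 65,535-byte ceiling, a path with 100 ms RTT cannot exceed about 5 Mbit/s no matter how fast the link is.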
UDP Preferences
Edit > Preferences: [Screenshot of the UDP protocol preferences.]
TCP Preferences
Edit > Preferences: [Screenshot of the TCP protocol preferences.]
UDP Message Example
[Screenshot: a DNS query and its reply. Query: SP: 61379, DP: 53. Reply: SP: 53, DP: 61379.]
UDP Statistics
Statistics > Conversations: [Screenshot of the UDP conversations table.]
Follow UDP Stream
[Screenshot of the Follow UDP Stream window.]
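To make the "UDP Frame Structure" header and the Conversations / Follow UDP Stream views above concrete, here is an added example of my own (not course material): it builds and parses UDP datagrams, verifies the checksum over the IPv4 pseudo-header, groups a small constructed capture into conversations the way Statistics > Conversations does (keyed by the unordered pair of address/port endpoints), and lists one conversation's payloads in order like Follow UDP Stream. The port pair 61379/53 follows the slide; the addresses (RFC 5737 documentation ranges), the payload bytes and the second conversation are assumptions.

```python
import socket
import struct
from collections import Counter

UDP_PROTO = 17

def ones_complement_sum(data):
    """16-bit one's-complement sum with the carries folded back in (the IP family checksum)."""
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip, dst_ip, udp_length):
    """IPv4 pseudo-header: the UDP checksum also covers addresses, protocol and length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, UDP_PROTO, udp_length)

def udp_checksum(src_ip, dst_ip, datagram):
    zeroed = datagram[:6] + b"\x00\x00" + datagram[8:]        # checksum field counts as zero
    csum = 0xFFFF - ones_complement_sum(pseudo_header(src_ip, dst_ip, len(datagram)) + zeroed)
    return csum or 0xFFFF       # 0 on the wire means "not computed", so a zero result is sent as 0xFFFF

def build_udp(src_ip, dst_ip, sport, dport, payload):
    """Constructed datagram: source port, destination port, length, checksum, then the payload."""
    length = 8 + len(payload)
    datagram = struct.pack("!HHHH", sport, dport, length, 0) + payload
    return struct.pack("!HHHH", sport, dport, length, udp_checksum(src_ip, dst_ip, datagram)) + payload

def parse_udp(src_ip, dst_ip, datagram):
    if len(datagram) < 8:
        raise ValueError("short UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("length field %d does not fit the %d captured bytes" % (length, len(datagram)))
    if csum == 0:
        checksum_ok = None      # IPv4 lets a sender skip the checksum entirely
    else:
        checksum_ok = ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + datagram[:length]) == 0xFFFF
    return {"sport": sport, "dport": dport, "length": length,
            "checksum_ok": checksum_ok, "payload": datagram[8:length]}

def conversations(capture):
    """Group (src_ip, dst_ip, datagram) records by endpoint pair, like Statistics > Conversations."""
    table = {}
    for src_ip, dst_ip, datagram in capture:
        u = parse_udp(src_ip, dst_ip, datagram)
        a, b = (src_ip, u["sport"]), (dst_ip, u["dport"])
        key = tuple(sorted((a, b)))                 # direction-independent conversation key
        entry = table.setdefault(key, {"frames": 0, "bytes": 0, "directions": Counter()})
        entry["frames"] += 1
        entry["bytes"] += u["length"]
        entry["directions"][(a, b)] += 1
    return table

def follow_stream(capture, key):
    """Payloads of one conversation in capture order, tagged with their direction (Follow UDP Stream)."""
    stream = []
    for src_ip, dst_ip, datagram in capture:
        u = parse_udp(src_ip, dst_ip, datagram)
        a, b = (src_ip, u["sport"]), (dst_ip, u["dport"])
        if tuple(sorted((a, b))) == key:
            stream.append(("%s:%d -> %s:%d" % (a + b), u["payload"]))
    return stream

# Constructed capture: a DNS-style query/reply on the slide's ports plus an unrelated NTP datagram.
CLIENT, RESOLVER, NTP = "192.0.2.10", "192.0.2.1", "198.51.100.7"
CAPTURE = [
    (CLIENT, RESOLVER, build_udp(CLIENT, RESOLVER, 61379, 53, b"constructed query")),
    (RESOLVER, CLIENT, build_udp(RESOLVER, CLIENT, 53, 61379, b"constructed reply")),
    (CLIENT, NTP, build_udp(CLIENT, NTP, 50000, 123, b"constructed ntp request")),
]
DNS_KEY = tuple(sorted(((CLIENT, 61379), (RESOLVER, 53))))

if __name__ == "__main__":
    for key, entry in conversations(CAPTURE).items():
        print(key, entry["frames"], "frames", entry["bytes"], "bytes")
    for direction, payload in follow_stream(CAPTURE, DNS_KEY):
        print(direction, payload)
```

The length check matters when looking at captures: a length field larger than the bytes actually captured usually means a snaplen truncation rather than a malformed sender, and a checksum of zero is legal in IPv4, which is why the parser reports "not computed" separately from "wrong".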
Some Guidelines
▫ Look at one symptom at a time
▫ Study a specific instance of that symptom
▫ Look for irrefutable evidence of the cause
TCP Retransmissions – Why They Happen
1. Connectivity problems can happen due to:
a) No response from the destination
b) A firewall or another security device that blocks communications
c) Bad performance to the point that communication is not possible
2. Performance problems can happen due to:
a) Network bottlenecks
b) Non-responsive servers or clients
c) Non-responsive application
d) Delay variations (Jitter)
Connectivity Problems (1a): No Response from the Destination
Open the exercise file. What was the problem here?
Example 11-1
Connectivity Problem (1b): Security Device that Blocks Communications
Open the exercise file. It was not possible to connect to the camera server 82.80.120.135. What was the problem here?
Example 11-2
Connectivity Problems (1c): Bad Performance to the Point of Connectivity
Example 11-3
[Screenshot with callout: massive retransmissions.]
Connectivity Problems (1c) (Cont.): Bad Performance to the Point of Connectivity
What is unique? Why can it happen? What should we look for?
[Screenshot with callouts: ~2.5 Sec, ~2.5 Sec, ~2.5 Sec between retransmissions.]
Connectivity Problems (1c): What do we see here?
[Screenshot with callouts: a standard SYN/ACK; a SYN/ACK with Selective Ack.]
Connectivity Problems (1c): What (else..) do we see here?
[Screenshot with callout: a very small receiver window size.]
Performance Problems (2a): Network Bottlenecks
[Screenshot with callouts: 1250-1300 Pkts/Sec; 10 Mbits/Sec; Retransmissions.]
Example 11-4
Performance Problems: Network Bottlenecks (Cont.)
10 MBytes (sequences) per 10 seconds = 10 Mbits/Sec
[Screenshot with callout: fixed and stable window size, no window issues.]
Performance Problems (2b): Non-responsive Server (or Application/s)
Is it the server or a specific application?
Example 11-5
[Screenshot with callout: single stream, slow application.]
Performance Problems (2b): Non-responsive Server (or Application/s)
Example 11-6
Performance Problems (2c): Non-responsive Application
What is unique? Why can it happen?
Example 11-7
Performance Problems (2d): Delay Variations (Jitter)
Example 11-8
Performance Problems (2d): Delay Variations (Jitter)
[Screenshot]
Performance Problems (Cont.): Delay Variations (Jitter)
Example 11-9
Example #1: Typical Connection Problems
[Screenshot with callouts: connection not opened to 81.218.31.171 (SYN / SYN / SYN); connection opened to 108.160.163.43 (SYN / SYN-ACK / ACK).]
Example #2 – Application Freeze
[Screenshot with callouts: five consecutive retransmissions; time intervals increase with every retransmission; a new connection is established.]
What Can Be the Reasons for Retransmissions?
• Happens when:
▫ A frame is lost (the RTO expires)
• Causes:
▫ Slow server/PC
▫ Errors / packet loss
▫ Sudden increase in delay
RTO Calculations
• Jacobson algorithm:
▫ rtt = (1-a) * old_rtt + a * curr_rtt
▫ mdev = (1-b) * old_mdev + b * curr_mdev
▫ rto = rtt + 4 * mdev
▫ a = 1/8, b = 1/4 (a, b constants)
current-rtt | old-rtt | current-mdev | old-mdev | mdev | rtt    | rto
1.00        | 0.20    | 0.10         | 0.10     | 0.10 | 0.3000 | 0.7000
0.90        | 0.20    | 0.10         | 0.10     | 0.10 | 0.2875 | 0.6875
0.80        | 0.20    | 0.10         | 0.10     | 0.10 | 0.2750 | 0.6750
0.70        | 0.20    | 0.10         | 0.10     | 0.10 | 0.2625 | 0.6625
0.60        | 0.20    | 0.10         | 0.10     | 0.10 | 0.2500 | 0.6500
0.50        | 0.20    | 0.10         | 0.10     | 0.10 | 0.2375 | 0.6375
0.40        | 0.20    | 0.10         | 0.10     | 0.10 | 0.2250 | 0.6250
0.30        | 0.20    | 0.10         | 0.10     | 0.10 | 0.2125 | 0.6125
0.20        | 0.20    | 0.10         | 0.10     | 0.10 | 0.2000 | 0.6000
0.10        | 0.20    | 0.10         | 0.10     | 0.10 | 0.1875 | 0.5875
http://ee.lbl.gov/papers/congavoid.pdf
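The table under "RTO Calculations" can be regenerated from the three formulas, which is a quick way to check that the gains are the right way round. The following is an added example of my own, not from the course: `jacobson_step` applies the slide's update with a = 1/8 and b = 1/4, `slide_table` reproduces the rows above, `estimate` runs the estimator over a series of RTT samples using |sample - smoothed rtt| as the deviation sample (the RFC 6298 rule; the slide's table feeds the deviation in directly), and `backoff` shows the doubling of the RTO on consecutive timeouts that RFC 6298 specifies, which is what the growing gaps between retransmissions in the "Application Freeze" case study look like in a capture. The RTT series in the usage section is constructed.

```python
A = 1 / 8   # gain for the smoothed round-trip time (slide: a = 1/8)
B = 1 / 4   # gain for the mean deviation (slide: b = 1/4)

def jacobson_step(old_rtt, curr_rtt, old_mdev, curr_mdev, a=A, b=B):
    """One update of the slide's estimator; results rounded to the table's four decimals."""
    rtt = (1 - a) * old_rtt + a * curr_rtt
    mdev = (1 - b) * old_mdev + b * curr_mdev
    rto = rtt + 4 * mdev
    return round(rtt, 4), round(mdev, 4), round(rto, 4)

def slide_table():
    """The slide's rows: old_rtt 0.20, old_mdev 0.10, curr_mdev 0.10, curr_rtt from 1.0 down to 0.1.
    Each row is (current-rtt, old-rtt, current-mdev, old-mdev, mdev, rtt, rto)."""
    rows = []
    for tenths in range(10, 0, -1):
        curr_rtt = tenths / 10
        rtt, mdev, rto = jacobson_step(0.20, curr_rtt, 0.10, 0.10)
        rows.append((curr_rtt, 0.20, 0.10, 0.10, mdev, rtt, rto))
    return rows

def estimate(samples, a=A, b=B):
    """Run the estimator over measured RTTs (seconds) and return the RTO after each sample.
    Assumption beyond the slide: the deviation sample is |sample - smoothed rtt|, and the first
    sample initialises rtt = sample and mdev = sample / 2, as RFC 6298 does."""
    rtt = mdev = None
    rtos = []
    for sample in samples:
        if rtt is None:
            rtt, mdev = sample, sample / 2
        else:
            mdev = (1 - b) * mdev + b * abs(rtt - sample)   # deviation against the previous smoothed rtt
            rtt = (1 - a) * rtt + a * sample
        rtos.append(round(rtt + 4 * mdev, 4))
    return rtos

def backoff(rto, timeouts):
    """RTO in force after each consecutive timeout: RFC 6298 doubles it every time the timer fires."""
    return [round(rto * 2 ** n, 4) for n in range(timeouts + 1)]

if __name__ == "__main__":
    print("curr-rtt old-rtt curr-mdev old-mdev   mdev    rtt    rto")
    for row in slide_table():
        print("%7.2f %8.2f %9.2f %8.2f %6.2f %7.4f %7.4f" % row)
    # Constructed RTT series: stable at 200 ms, then a sudden increase in delay.
    print("RTO after each sample:", estimate([0.20, 0.20, 0.20, 0.80, 0.80]))
    print("RTO after 0..3 consecutive timeouts:", backoff(0.7, 3))
```

Two things the numbers make visible: a single delayed sample moves the RTO much more through the deviation term than through the smoothed RTT, and once a timer fires the retransmission interval grows geometrically, so a capture with gaps of roughly 1, 2, 4 and 8 times the base RTO is the signature of a sender that never got an answer.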
The Result – Retransmissions
Example 11-10
Retransmissions – What Are They?
Example 11-10
What We See in the IO Graph
[Screenshot: IO graph with 3 retransmissions between 2 and 3 seconds.]
Performance Problems (Cont.): Delay Variations (Jitter) – TCP RTO/RTT
Example 11-10
What Are DupAck's (Duplicate Ack's) and Fast Retransmissions?
Example 11-10
Fast Retransmission – Example #2
Previous Segment Lost
And This Is What We See
TCP Out-Of-Order Packet
TCP Window Messages – the Sliding Window Mechanism
• In TCP, the receiver specifies the current window size in every packet. Because TCP provides a byte-stream connection, window sizes are expressed in bytes.
• A window is the number of data bytes that the sender is allowed to send before waiting for an acknowledgment.
• Initial window sizes are indicated at connection setup, but might vary throughout the data transfer to provide flow control.
TCP Window Messages
• TCP ZeroWindow – Occurs when a receiver advertises a receive window size of zero.
• TCP ZeroWindowProbe – The sender is testing whether the receiver's zero window condition still exists by sending the next byte of data to elicit an ACK from the receiver.
• TCP ZeroWindowViolation – The sender has ignored the zero window condition of the receiver and sent additional bytes of data.
• TCP WindowUpdate – This indicates that the segment was a pure WindowUpdate segment.
• TCP WindowFull – This flag is set on segments where the payload data in the segment will completely fill the RX buffer on the host on the other side of the TCP session.
Window Problem Example
[Screenshot: IO graph showing the number of zero windows between 8-16 seconds.]
Example 11-13
Zero Window Problem
[Screenshot]
Resets and Why They Happen
• Reasons for resets:
1. Firewall that blocks the connection (3 SYNs)
2. Connection inactive
3. Application initiated
Firewall that Blocks the Connection
Example 11-14
Example – Retransmissions and DupACKs
[Screenshot with callouts: Retransmissions; DupACKs.]
Multiple DupACKs
[Screenshot with callouts: Duplicate Ack's number 46, 47, 48 ... 51 for packet number 19022, requesting sequence number 14593377; the response packet (Fast Retransmission); the Fast Retransmission carries the requested sequence number.]
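The labels Wireshark attaches in its Expert Info (Retransmission, Dup ACK, Fast Retransmission, Previous segment not captured, Out-Of-Order, and the "TCP Window Messages" listed earlier) all come from bookkeeping on sequence numbers, acknowledgements and advertised windows. Here is an added example of my own, not Wireshark's code, that performs a simplified version of that bookkeeping over a constructed capture built around the numbers on this slide: the segment starting at sequence 14593377 is missing from the capture, the receiver answers the following segments with duplicate ACKs for 14593377, and the sender fast-retransmits it; the capture then continues with a zero window, a probe and a window update. Wireshark's real heuristics also use timing thresholds; this version classifies by the byte ranges it has seen, and the frame numbers, addresses, timestamps and 1460-byte segments are assumptions.

```python
from collections import namedtuple

# One captured segment (constructed records, not a real capture): frame number, time,
# endpoints, sequence/ack numbers, payload length, flag names and advertised window.
Seg = namedtuple("Seg", "no t src dst seq ack length flags win")

def _fill(gaps, lo, hi):
    """Remove the byte range [lo, hi) from a list of (start, end) holes."""
    out = []
    for a, b in gaps:
        if hi <= a or lo >= b:
            out.append((a, b))
            continue
        if a < lo:
            out.append((a, lo))
        if hi < b:
            out.append((hi, b))
    return out

def analyze(capture):
    """Return {frame number: [expert notes]} for a list of Seg records, in capture order."""
    next_seq, gaps, last_ack, dupacks, probing, notes = {}, {}, {}, {}, set(), {}
    for s in capture:
        out = []
        consumes = s.length + ("SYN" in s.flags) + ("FIN" in s.flags)
        peer_ack = last_ack.get(s.dst)                 # (ack, win) the peer last announced
        # Sequence side: does the segment start where this sender's stream left off?
        if consumes:
            exp = next_seq.get(s.src)
            if exp is None or s.seq == exp:
                next_seq[s.src] = s.seq + consumes
            elif s.seq > exp:                          # a hole: those bytes never reached the capture point
                out.append("Previous segment not captured")
                gaps[s.src] = gaps.get(s.src, []) + [(exp, s.seq)]
                next_seq[s.src] = s.seq + consumes
            else:                                      # bytes already covered, or a hole being filled
                if peer_ack and s.seq == peer_ack[0] and dupacks.get(s.dst, 0) >= 3:
                    out.append("Fast Retransmission")  # answers 3+ duplicate ACKs for exactly this seq
                elif any(a <= s.seq < b for a, b in gaps.get(s.src, [])):
                    out.append("Out-Of-Order")
                else:
                    out.append("Retransmission")
                gaps[s.src] = _fill(gaps.get(s.src, []), s.seq, s.seq + consumes)
        # Acknowledgement side: the same ack number repeated in pure ACKs.
        if "ACK" in s.flags:
            prev = last_ack.get(s.src)
            if consumes == 0 and prev and prev[0] == s.ack:
                if prev[1] == s.win == 0 and s.src in probing:
                    out.append("Zero Window Probe ACK")
                elif prev[1] == s.win:
                    dupacks[s.src] = dupacks.get(s.src, 0) + 1
                    out.append("Dup ACK #%d" % dupacks[s.src])
                elif s.win:
                    out.append("Window Update")        # same ack, only the window changed
            elif prev is None or prev[0] != s.ack:
                dupacks[s.src] = 0                     # the ack advanced: duplicate count restarts
            last_ack[s.src] = (s.ack, s.win)
        # Window side: what the sender is doing against the peer's advertised window.
        if s.win == 0 and not ({"SYN", "RST", "FIN"} & set(s.flags)):
            out.append("Zero Window")
        if s.length and peer_ack:
            if peer_ack[1] == 0:
                if s.length == 1 and s.seq == peer_ack[0]:
                    out.append("Zero Window Probe")
                    probing.add(s.dst)                 # the peer's next zero-window ACK answers the probe
                else:
                    out.append("Zero Window Violation")
            elif s.seq + s.length >= peer_ack[0] + peer_ack[1]:
                out.append("Window Full")
        notes[s.no] = out
    return notes

A, B = "10.0.0.10:80", "10.0.0.20:4657"     # assumed endpoints: the server and the client
W = 65535
CAPTURE = [
    Seg(1, 0.000, A, B, 14590457, 1, 1460, {"ACK"}, W),
    Seg(2, 0.001, A, B, 14591917, 1, 1460, {"ACK"}, W),
    Seg(3, 0.010, B, A, 1, 14593377, 0, {"ACK"}, W),
    # the segment starting at 14593377 is lost and never appears in the capture
    Seg(4, 0.012, A, B, 14594837, 1, 1460, {"ACK"}, W),
    Seg(5, 0.020, B, A, 1, 14593377, 0, {"ACK"}, W),
    Seg(6, 0.022, A, B, 14596297, 1, 1460, {"ACK"}, W),
    Seg(7, 0.030, B, A, 1, 14593377, 0, {"ACK"}, W),
    Seg(8, 0.032, A, B, 14597757, 1, 1460, {"ACK"}, W),
    Seg(9, 0.040, B, A, 1, 14593377, 0, {"ACK"}, W),
    Seg(10, 0.041, A, B, 14593377, 1, 1460, {"ACK"}, W),   # the fast retransmission
    Seg(11, 0.050, B, A, 1, 14599217, 0, {"ACK"}, W),
    Seg(12, 0.060, B, A, 1, 14599217, 0, {"ACK"}, 0),      # receiver buffer full
    Seg(13, 0.300, A, B, 14599217, 1, 1, {"ACK"}, W),      # one-byte probe
    Seg(14, 0.301, B, A, 1, 14599217, 0, {"ACK"}, 0),
    Seg(15, 0.500, B, A, 1, 14599217, 0, {"ACK"}, W),      # window opens again
]

if __name__ == "__main__":
    for no, found in analyze(CAPTURE).items():
        print(no, ", ".join(found) or "-")
```

Reading the output against the slide: the duplicate ACKs all carry the sequence number the receiver is still waiting for, and the fast retransmission is recognised because its sequence number equals that ACK value and at least three duplicates preceded it; a retransmission with no duplicate ACKs in front of it is the timeout-driven kind covered under "RTO Calculations".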
Exercise #1 – What Is Wrong Here?
What is wrong here (Example 10-12)? What was the problem?
Summary
• In this lesson we talked about:
▫ Using Wireshark for TCP and UDP
▫ TCP and UDP preferences
▫ TCP retransmissions
▫ TCP DupACK's and Fast Retransmissions
▫ TCP resets
▫ How to discover L4 performance and connectivity problems